Issue 112983

Starred by 18 users

Issue metadata

Status: Verified
Closed: Feb 2012
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Security


Browser crash with FTP video source

Reported by, Feb 7 2012

Issue description

Chrome Version       : 17.0.963.46 (Official Build 119351) beta
OS Version: Linux (Debian 6.0.4, x86_64)
URLs (if applicable) :
Other browsers tested:
  Add OK or FAIL after other browsers where you have tested this issue:
     Safari 5:
  Firefox 4.x: OK
     IE 7/8/9:

What steps will reproduce the problem?
1. $ echo "<video src=ftp://1>" > ftp.html
2. ...
3. $ google-chrome ftp.html

What is the expected result?
Chrome doesn't crash.

What happens instead?
Chrome IO thread crashes taking the rest of the browser with it.

Please provide any additional information below. Attach a screenshot if

This looks like a plain null deref, so not reporting as a security bug.


Comment 1 by, Feb 7 2012

Trace from 19.0.1031.0 (Developer Build 120523) / ASan:

==14494== ERROR: AddressSanitizer crashed on unknown address 0x000000000000 (pc 0x7fc777675f7c sp 0x7fc760c0a9c0 bp 0x7fc760c0b0d0 T10)
AddressSanitizer can not provide additional info. ABORTING
    #0 0x7fc777675f7c in net::URLRequestFtpJob::StartTransaction() ???:0
    #1 0x7fc77767771e in net::URLRequestFtpJob::Start() ???:0
    #2 0x7fc7774b88f2 in net::URLRequest::StartJob(net::URLRequestJob*) ???:0
    #3 0x7fc7774b818d in net::URLRequest::Start() ???:0
    #4 0x7fc77b006ada in ResourceQueue::AddRequest(net::URLRequest*, ResourceDispatcherHostRequestInfo const&) ???:0
    #5 0x7fc77afe7534 in ResourceDispatcherHost::BeginRequestInternal(net::URLRequest*) ???:0
    #6 0x7fc77afe5ae8 in ResourceDispatcherHost::BeginRequest(int, ResourceHostMsg_Request const&, IPC::Message*, int) ???:0
    #7 0x7fc77afe250a in ResourceDispatcherHost::OnMessageReceived(IPC::Message const&, ResourceMessageFilter*, bool*) ???:0
    #8 0x7fc77b0053f9 in ResourceMessageFilter::OnMessageReceived(IPC::Message const&, bool*) ???:0
    #9 0x7fc77ae1d69d in content::BrowserMessageFilter::DispatchMessage(IPC::Message const&) ???:0
    #10 0x7fc77ae1d3b7 in content::BrowserMessageFilter::OnMessageReceived(IPC::Message const&) ???:0
    #11 0x7fc7781e22a4 in IPC::ChannelProxy::Context::OnMessageReceived(IPC::Message const&) ???:0
    #12 0x7fc7781dc92b in IPC::Channel::ChannelImpl::ProcessIncomingMessages() ???:0
    #13 0x7fc7781e0325 in IPC::Channel::ChannelImpl::OnFileCanReadWithoutBlocking(int) ???:0
    #14 0x7fc7769f26de in base::MessagePumpLibevent::OnLibeventNotification(int, short, void*) ???:0
    #15 0x7fc776b24d17 in event_base_loop ???:0
    #16 0x7fc7769f2d79 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) ???:0
    #17 0x7fc776a57bae in MessageLoop::RunInternal() ???:0
    #18 0x7fc776a55d9f in MessageLoop::Run() ???:0
    #19 0x7fc776ad04fc in base::Thread::ThreadMain() ???:0
    #20 0x7fc776ac756c in base::(anonymous namespace)::ThreadFunc(void*) base/threading/
    #21 0x7fc77c8934e7 in __asan::AsanThread::ThreadStart() ??:0

Labels: Feature-Media-Audio
Status: Untriaged
Thank you for filing this issue. Please allow us some time to take a look at the issue. 
Labels: -Feature-Media-Audio Feature-Media Stability-Crash
Repro on Win 7. Crash ID: 8600170923e4aab6 
Doesn't happen with <image src="ftp://1" /> 
Status: Started
Project Member

Comment 5 by, Feb 10 2012

The following revision refers to this bug:

r121378 | | Thu Feb 09 17:56:25 PST 2012

Changed paths:

Give the media context an ftp job factory; prevent a browser crash.

BUG= 112983 

Review URL:
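
A simplified model of the bug class this fix addresses, added here as an example and not Chromium code: it assumes each request context carries its own scheme-to-factory table, and every name in it (RequestContext, JobFactory, FtpJobFactory, StartJob, MissingSchemes) is hypothetical. It shows a start path that fails the request when a context has no factory for the scheme, plus a parity check that reports schemes the main context serves and a secondary context does not.

```cpp
#include <map>
#include <memory>
#include <string>
#include <vector>

// Hypothetical stand-ins for illustration; these are not Chromium's classes.
struct JobFactory {
    virtual ~JobFactory() = default;
    virtual bool StartTransaction(const std::string& url) = 0;
};
struct FtpJobFactory : JobFactory {
    bool StartTransaction(const std::string& url) override {
        return url.rfind("ftp://", 0) == 0;  // accept only ftp:// URLs
    }
};

// One request context per resource type, each with its own scheme table.
struct RequestContext {
    std::map<std::string, std::shared_ptr<JobFactory>> factories;
};

enum class StartResult { kStarted, kUnsupportedScheme, kRejected };

// Hardened start path: a scheme with no factory in this context fails the
// request instead of dereferencing a null factory pointer.
StartResult StartJob(const RequestContext& ctx, const std::string& url) {
    const std::string scheme = url.substr(0, url.find(':'));
    auto it = ctx.factories.find(scheme);
    if (it == ctx.factories.end() || !it->second)
        return StartResult::kUnsupportedScheme;
    return it->second->StartTransaction(url) ? StartResult::kStarted
                                             : StartResult::kRejected;
}

// Parity audit: schemes the main context serves that another context lacks.
std::vector<std::string> MissingSchemes(const RequestContext& main_ctx,
                                        const RequestContext& other) {
    std::vector<std::string> missing;
    for (const auto& entry : main_ctx.factories) {
        auto it = other.factories.find(entry.first);
        if (entry.second && (it == other.factories.end() || !it->second))
            missing.push_back(entry.first);
    }
    return missing;
}
```

Running the parity audit at context construction time, or in a unit test, surfaces a missing factory before a page-supplied URL reaches the start path.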

Comment 6 by, Feb 10 2012

Status: Fixed
Status: Verified
Win7, gc: 19.0.1044.0 (Official Build 122251) canary - unable to reproduce 
crash doesn't happen. Verified. 

and I was able to reproduce on: Ubuntu, gc: 18.0.1025.33 (Official Build 122015) beta 
my gc crashed. 

Status: Fixed 
Can you specify on which platform and which Chrome build the fixes were applied to?
Thank you,

alekyoo: fix applies to all platforms.  m18 was branched before the fix landed, so I would expect current m19 to have the fix and m18 and earlier to not have it.
Status: Verified
Thank you, tried with 19.0.1041.0 dev, unable to reproduce. 

 Issue 114662  has been merged into this issue.
 Issue 106742  has been merged into this issue.
 Issue 117163  has been merged into this issue.

Comment 15 by, Mar 26 2012

 Issue 119995  has been merged into this issue.
Labels: -Type-Bug Type-Security SecSeverity-Low Mstone-18 Merge-Approved
 Issue 123881  has been merged into this issue.
Labels: -Mstone-18 -Merge-Approved Mstone-19
I don't think we need this for M18 so marking done for M19.
 Issue 125459  has been merged into this issue.
 Issue 126618  has been merged into this issue.
Labels: CVE-2011-3083
 Issue 127924  has been merged into this issue.
(And it does appear to be fixed on TOT, so we're good.)
Project Member

Comment 25 by, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member

Comment 26 by, Mar 10 2013

Labels: -Type-Security -Feature-Media -SecSeverity-Low -Mstone-19 Security-Severity-Low Cr-Internals-Media M-19 Type-Bug-Security
Project Member

Comment 27 by, Mar 11 2013

Labels: -Area-Undefined
Project Member

Comment 28 by, Mar 14 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Project Member

Comment 29 by, Mar 21 2013

Labels: -Security-Severity-Low Security_Severity-Low
Project Member

Comment 30 by, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Project Member

Comment 31 by, Oct 1 2016

Labels: Restrict-View-SecurityNotify
Project Member

Comment 32 by, Oct 2 2016

Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted
